Risk Management Strategy & Policy

March 2016

This document provides an explanation of the vision and processes adopted by Locala Community Partnerships CIC and its subsidiaries to manage risk and provide Management and Board assurance. It combines both strategy and policy for the management of strategic and operational risks.

1. Vision

1.1. As a social enterprise we want to build ownership and accountability and make managing risk everyone’s responsibility. We also want to make risk management a practical, rather than bureaucratic part of what we do.

2. Introduction and aims

2.1. Locala is committed to developing and implementing a risk management strategy and policy that will identify, analyse, evaluate and control the risks that threaten the delivery of its objectives. The Strategic Risk Register and Business Assurance Map will be used by the Board to identify, monitor and evaluate risks. It will be considered alongside other key management tools, such as performance and quality dashboards, and financial reports, to give the Board a comprehensive picture of the organisational risk profile.

2.2. The purpose of this document is to provide guidance to all staff on the management of strategic and operational risks within the organisation. It aims to: set out respective responsibilities for strategic and operational risk management for the Board and staff colleagues throughout the organisation; and describe the procedures to be used in identifying, analysing, evaluating and controlling risks to the delivery of objectives.

2.3. The objectives of Locala’s risk management policy are to:

  • minimise the chances of potential harm to patients, staff colleagues, other assets and Locala’s reputation by effective risk identification, prioritisation, treatment and management – reduce the consequences should these risks occur;
  • maintain a risk management framework, which provides assurance to the Board that strategic and operational risks are being managed effectively;
  • maintain a cohesive approach to corporate governance and effectively manage risk management resources;
  • ensure that risk management is an integral part of the Locala culture.

2.4. Put simply, risk is defined as ‘something that may happen with a negative impact’; in reality there will always be some things that ‘have happened with a negative impact’ – these are classified as ‘Issues’.

3. Scope

  • The Risk Management Strategy and Policy covers the management of strategic and operational risks. Strategic risks are significant risks that have the potential to impact across the organisation and are raised and monitored by EMG and the Board. Operational risks are key risks that impact on individual service or corporate enabler areas and are managed locally.
  • This policy applies to all colleagues.
  • The risk management strategy is intended to cover all the potential risks that the organisation could be exposed to, including clinical risks such as patient safety and harm reduction.

4. Risk Appetite

  • Locala is a social enterprise operating in a regulated environment. Our values include:
  • Be accountable
  • Innovate, challenge and improve
  • Be Inspirational

We, therefore, encourage all our colleagues to take assessed risks which are communicated – in an effort to make what we do more effective, efficient and innovative wherever possible. However, we must all ensure our standards of patient care and financial practice meet professional and regulatory standards and be prepared to say when these standards are put at genuine risk – safe in the knowledge that we will be supported by senior colleagues in doing so.

In January 2016 the Board agreed a shift in their appetite for risk in view of the growing maturity of the organisation and the securing of a long term community health services contract in October 2015. This shift can be summarised as the acceptance of an increased level of risk in all areas with the appetite for risk with regard to Financial/Value for Money issues and Innovation being slightly higher than in Compliance/Regulatory and Reputational matters.

5. Duties and responsibilities

The following paragraphs set out the respective risk management duties and responsibilities for specific groups and individual colleagues – this covers all types of risk.

The Board

5.1. Executive and non-executive directors share responsibility for the success of Locala, including the effective management of risk and compliance with relevant legislation. In relation to risk management the Board is responsible for:

  • articulating the objectives and strategic risks for the organisation;
  • protecting the reputation of Locala;
  • providing leadership on the management of risk;
  • determining the risk appetite for Locala;
  • ensuring the approach to risk management is consistently applied;
  • ensuring that assurances demonstrate that risk has been identified, assessed and all reasonable steps taken to manage it effectively and appropriately; and
  • endorsing risk related disclosure documents.

Audit & Risk Committee (ARC)

5.2 In relation to risk management, the ARC is responsible for reviewing the adequacy and effectiveness of:

  • all risk and control related disclosure statements (in particular the Annual Governance Statement), prior to endorsement by the Board of Directors; and
  • the underlying assurance processes that indicate the degree of achievement of corporate objectives, the effectiveness of the management of principal risks and the appropriateness of disclosure documents.

ARC receive and review work done by management, Internal and External Audit along with any other external reports to assess the effectiveness of risk management and management control.

Finance, Performance & Quality Committee

5.3 The duty of the Committee is to provide the necessary assurance to the Board, that financial and operational performance of Locala, and therefore risk, is being effectively managed. This includes:

a. Quality – Covering clinical effectiveness, patient safety and patient experience. A key focus will be the Quality Priorities.

b. Finance & Performance – Activity and income, costs, KPIs, Workforce, Business Development.

c. Operating Plan

d. Transformation projects i.e. via the Transformation Management Group.

Internal Auditors

5.4. The internal auditors are responsible for agreeing (with the ARC) a programme of audits which assess the exposures and adequacy of mitigation of the principal risks affecting the organisation. The priorities contained in the internal audit programme should reflect the risk evaluation set out in the Corporate Risk Register and Business Assurance Map. The reports and advice produced by internal audit should inform the management of risk by the relevant risk owners, as set out in the following paragraphs.

Chief Executive

5.5. As Accountable Officer, the Chief Executive has responsibility for maintaining a sound system of internal control that supports the achievement of the organisation’s objectives. To fulfil this responsibility the Chief Executive will:

  • ensure that management processes fulfil the responsibilities for risk management as set out in the Risk Strategy and Policy;
  • ensure that full support and commitment is provided and maintained in every activity relating to risk management;
  • plan for adequate staffing, finances and other resources, to ensure the management of those risks which may have an adverse impact on the staff, finances or stakeholders of Locala;
  • ensure an appropriate Corporate Risk Register and Business Assurance Map is prepared and regularly updated and receives appropriate consideration; and
  • ensure that an Annual Governance Statement, adequately reflecting the risk management issues within Locala, is prepared and signed off each year.

Executive Management Group

5.6. The executive team will keep the principal corporate risks under regular review. Members of EMG are the senior responsible officers (SROs) for their respective areas of the business and will ensure that within their teams all risk management issues are coordinated, managed, monitored and reviewed including:

  • notifying their teams of any strategic risks to the delivery of defined objectives or escalating operational problems for onward reporting;
  • ensuring that appropriate KORS are maintained and actively managed within their areas of responsibility;
  • ensuring colleagues comply with all organisational policies and procedures;
  • leading the management of risk by devising short, medium and long-term strategies to tackle identified risk, including the production of any action plans;
  • ensuring all staff fulfil their responsibility for risk management by identifying, reporting, monitoring and managing risk;
  • ensuring that all activities undertaken within their areas of responsibility are consistent with the safe operation of Locala; and
  • recommending to the Board of Directors the raising and closing of identified risks, using the Corporate Risk Register and Business Assurance Map.

Scrutiny Management Group (SMG)

5.7. SMG’s key duties are to hold to account, scrutinise and support: achievement of the Operating Plan objectives; operational performance and to ensure Locala meets regulatory requirements. They are responsible for reviewing the key operational risks within Locala and escalating risks to EMG as appropriate via the KORS. Discussion at SMG enables risks to be understood and shared across the Business Units and corporate enabler functions and, where appropriate, taken back to team meetings for consideration in their management team meetings.

Transformation Management Group (TMG)

5.8. TMG’s key duties are to agree, develop and commission transformation to support Locala’s drive for enhancing patient care and/or cost improvement; and to monitor implementation and hold to account regarding achievement of the expected benefits of the transformation. They are responsible for reviewing the transformational risks within Locala and the external environment and escalating risks to EMG as appropriate via the KORS. Discussion at TMG enables risks to be understood and shared across Locala and, where appropriate, taken back to team meetings for consideration in their management team meetings.

Business Unit Management Teams

5.9. Management Team members provide the ‘backbone’ for identification and assessment of ‘bottom up’ risk. The Quality, Operational, Business Development and Customer Engagement Managers, along with their Finance and HR Business Partners, analyse a wide range of intelligence and information from a service level. They report and take decisions on this at Team meetings and escalate as necessary, through the Heads of Operations to SMG and to their Enabler line managers.

Staff colleagues

5.10. All colleagues are responsible for maintaining risk awareness, identifying and reporting risks as appropriate to their line manager. In addition, they will ensure that they familiarise themselves and comply with the policies and procedures of Locala and attend mandatory and other relevant training courses.

6. Risk management policy and procedure guidance

The following paragraphs set out the processes to be followed in identifying and managing risks to the achievement of Locala’s objectives.

‘Bottom Up’ Risk

6.1. Services identify clinical and operational risk and record through the Datix system. Each record is then subject to review by the Team Leader – after which the Quality Manager and Customer Engagement Manager will assess and escalate key risks as appropriate (looking for major concerns and trends). Risk management is also supported by the Business escalation and business continuity systems and processes.

6.2. A KORS (Key Opportunities Risks and Successes) approach is used for the capture and management of key operational and clinical risks – as the title suggests the KORS approach also enables the organisation to capture and manage key opportunities and celebrate and share successes. It enables groups and meetings to convey key risks, opportunities and successes in a clearer and more consistent way than, for example, a standard set of meeting minutes might.

6.3. ‘The KORS’ is a document (see appendix A for an example template – other presentations are used but must incorporate the same content) which is an output from a range of key meetings and functions. It is used - by team and topic led meetings – to focus their efforts in managing risk and to escalate the key risks to the next level up in the organisation so that the next level: are aware of the risks; can provide support where necessary to manage the risk and; can ensure that risks that in their opinion need further escalation are shared appropriately. It is important that the actions from previous KORS are reviewed to ensure completion or closure, and that we can demonstrate an audit trail of completed actions which are also communicated to those that originally raised the risk. The diagram in Appendix B sets out how risk is escalated through the organisation using the KORS approach.

6.4. What it does not do is score risk – it relies on managers to use the individual and collective judgements on what the key risks are – enabling them to focus on taking action rather than evaluating the severity. That collective judgement is based around a key risk being either something with a notable impact on the performance of the Business Unit or a significant impact on an individual service. If a risk is considered and not included the team should be clear that it is either of sufficiently low impact and/or likelihood of occurring to tolerate the risk or that the mitigating actions are already in place.

Top Down Risk

6.5. On an annual basis the Board agree the key strategic risks. These are then used to prompt consideration and collation of the corporate risks facing the organisation. There are usually around 5 or 6 strategic risks and the total number of corporate risks is usually in the low to mid teens. These are managed by EMG members who lead on specific strategic risks. They are responsible for reviewing the Corporate Risk Log, updating the status and plans and assessing the gross, net and current likelihood and impact of the risk on a monthly basis. A 5x5 scoring scale is used for this. Their work and judgements take into consideration their knowledge of the organisation and input from SMG and TMG – both from 1-1 line management discussions and the KORS that have been escalated from the SMG and TMG meetings (and reviewed at EMG meetings). When a ‘current risk’ score is increased there should be a demonstrable change (upgrade) in the mitigating actions associated with that risk or a clear explanation of why no change is necessary. EMG initiate and delegate actions to manage the risks as appropriate.

6.6. While, put simply, risk is defined as ‘something that may happen with a negative impact’, in reality there will always be some things that ‘have happened with a negative impact’ – these are classified as ‘Issues’. So we also have a Corporate Issue Log. To demonstrate the difference, there have been one or two examples where items in the Corporate Risk Log have migrated to the Corporate Issue Log because the risk has become reality. The Corporate Issue Log is also managed by EMG, who are responsible for reviewing the Corporate Issue Log, updating the status and plans and assessing impact of the issue on a monthly basis. Their work and judgements take into consideration their knowledge of the organisation and input from SMG and TMG – both from 1-1 line management discussions and the KORS that have been escalated from the SMG and TMG meetings – and reviewed at EMG meetings. EMG initiate and delegate action to manage the issues as appropriate.

Joining things up

6.7. Risks from the KORS – particularly those escalated by SMG, TMG and the Business Unit KORS – are considered by EMG for inclusion in the Corporate Risk or Issues Logs. However, our Assurance Map has highlighted that the link between the two is not evident on a small number of occasions. So if EMG decide not to include something that has been escalated, the reason should be made clear in the minutes of their meeting and reported back to SMT and onward to the source of the risk or issue.

6.8. The KORS (blue documents in Appendix B) provide a virtual risk register for the ‘Bottom Up’ risks. They provide a comprehensive coverage of the various strands of the organisation. While they are not formally joined up, they are all reviewed by either SMG or TMG regularly and as such are considered in a similar way to that of a traditional risk register.

6.9 The Corporate Risk Log is reviewed on a regular basis by SMG – who then consider the strategic risks in the context of their own Business Unit and Enabler KORS as appropriate.

7. Getting Assurance about risk – Business Assurance Map

7.1. The risk management process also has a mechanism for routinely considering all the key facets of the organisation – to make sure we’re not missing something and so that management and the Board can keep the ‘big picture’ in focus.

7.2. We have a Business Assurance Map (BAM) that sets out 18 ‘pillars’ (or facets) of the organisation – and states the objective of that pillar, risks to delivery of that objective, how we assess risk and where that risk is reported. The pillars cover Clinical Quality, Enablers (such as workforce), Strategic matters and Finance and Performance. On a quarterly basis SMG assess the risk to delivery of each pillar, using the evidence gathered from the reporting structure, and RAG rate each pillar accordingly based on the level of risk identified from information or the gaps in information which prevent a robust assessment. A narrative is added to explain the context of rating. The Map is then shared with EMG and ARC.